The vulnerability in the script/cgi-bin/adm.cgi of the Wavlink WL-WN579A3 router’s microprogramming system, which allows a hacker to execute arbitrary commands.

The vulnerability of the /cgi-bin/adm.cgi file in the microprogramming software for Wavlink WL-WN579A3 is related to the lack of measures taken to neutralize special elements used in the operating system commands. Exploiting this vulnerability allows a remote attacker to execute arbitrary command...

CVE-2025-5126

A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. Performing manipulation of the argument year/month/day/hour/minute results in command injection. The attack may be...

The vulnerability of the Backup Plus (ns_backup) extension of the TYPO3 content management system allows a hacker to execute arbitrary commands.

The vulnerability of the Backup Plus nsbackup extension of the TYPO3 content management system exists due to the lack of measures taken to neutralize the special elements used in the operating system’s command line. Exploiting this vulnerability allows a remote attacker to execute arbitrary...

F5 BIG-IP iControl REST Code Execution

This is an improved version of horizon3ai's F5 BIG-IP iControl REST exploit that provides an interactive shell to run remote commands...

CVE-2025-5139

A vulnerability was found in Qualitor 8.20/8.24. It has been rated as critical. Affected by this issue is some unknown functionality of the file /html/ad/adconexaooffice365/request/testaConexaoOffice365.php of the component Office 365-type Connection Handler. The manipulation of the argument...

CVE-2025-46176

Hardcoded credentials in the Telnet service in D-Link DIR-605L v2.13B01 and DIR-816L v2.06B01 allow attackers to remotely execute arbitrary commands via firmware analysis...

CVE-2025-5126

A vulnerability was found in Teledyne FLIR AX8 up to 1.46.16. This vulnerability affects the function setDataTime of the file \usr\www\application\models\settingsregional.php. Performing manipulation of the argument year/month/day/hour/minute results in command injection. The attack may be...

PT-2025-22841 · Flir · Flir Ax8

Name of the Vulnerable Software and Affected Versions: FLIR AX8 versions up to 1.46.16 Description: A critical vulnerability was found in FLIR AX8, affecting the setDataTime function of the file usrwwwapplicationmodelssettingsregional.php. The manipulation of the arguments year, month, day, hour,...

CVE-2025-46176

Hardcoded credentials in the Telnet service in D-Link DIR-605L v2.13B01 and DIR-816L v2.06B01 allow attackers to remotely execute arbitrary commands via firmware analysis...

CVE-2025-5106

A vulnerability was found in Fujian Kelixun 1.0. It has been classified as critical. This affects an unknown part of the file /app/fax/faxview.php of the component Filename Handler. The manipulation of the argument faxfile leads to os command injection. It is possible to initiate the attack...

CVE-2025-22611

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to version 4.0.0-beta.361, the missing authorization allows any authenticated user to escalate his or any other team members privileges to any role, including the owner role. He's also able t...

CVE-2025-22605

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Starting in version 4.0.0-beta.18 and prior to 4.0.0-beta.253, a vulnerability in the execution of commands on remote servers allows an authenticated user to execute arbitrary code on the local...

CVE-2024-47074

DataEase is an open source data visualization analysis tool. In Dataease, the PostgreSQL data source in the data source function can customize the JDBC connection parameters and the PG server target to be connected. In backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java,...

CVE-2024-47001

Hidden functionality issue in multiple digital video recorders provided by TAKENAKA ENGINEERING CO., LTD. allows a remote authenticated attacker to execute an arbitrary OS command on the device or alter the device settings...

CVE-2024-42991

MCMS v5.4.1 has front-end file upload vulnerability which can lead to remote command execution...

CVE-2024-7464

A vulnerability, which was classified as critical, has been found in TOTOLINK CP900 6.3c.566. This issue affects the function setTelnetCfg of the component Telnet Service. The manipulation of the argument telnetenabled leads to command injection. The attack may be initiated remotely. The exploit...

CVE-2024-7440

UNSUPPORTED WHEN ASSIGNED A vulnerability was found in Vivotek CC8160 VVTK-0100d. It has been classified as critical. This affects the function getenv of the file uploadfile.cgi. The manipulation of the argument QUERYSTRING leads to command injection. It is possible to initiate the attack remotel...

CVE-2024-7579

A vulnerability was found in Alien Technology ALR-F800 up to 19.10.24.00. It has been declared as critical. Affected by this vulnerability is the function popen of the file /var/www/cgi-bin/upgrade.cgi of the component File Name Handler. The manipulation of the argument uploadedFile leads to os...

CVE-2024-33344

D-Link DIR-822+ V1.0.5 was found to contain a command injection in ftext function of uploadfirmware.cgi, which allows remote attackers to execute arbitrary commands via shell...

CVE-2024-33343

D-Link DIR-822+ V1.0.5 was found to contain a command injection in ChgSambaUserSettings function of prog.cgi, which allows remote attackers to execute arbitrary commands via shell...